CI 2: "The action you have requested is not allowed."
#1

[eluser]sl3dg3hamm3r[/eluser]
Hey there

I am working into CI 2.0 beta. I have a simple form, which results in the following error after sending:

Quote:An Error Was Encountered
The action you have requested is not allowed.

This error seems to be generated by Security.php. First I thought it has something to do with the CSRF-token which is generated by form_open(), so I wrote the html manually without token, but same result. What could trigger this behaviour?

Thx for any tips
sl3dg3
#2

[eluser]sl3dg3hamm3r[/eluser]
When I set

Code:
$config['csrf_protection'] = FALSE;

it works - so yeah, it definitely has something to do with the csrf-token... :/
#3

[eluser]pickupman[/eluser]
You are correct. They have finally finished this up in the latest update. When set to true, form_open() will add the hidden token value to the form. If you are creating the <form > tag manually, and have csrf set to TRUE, you will need to add this value in.

This gets a little tricky with some web services like Paypal/JSON/AJAX. If you try using IPN which POSTs data back, you will have problems. I found it best to create a whitelist of IP addresses to turn off the protection. Or use
Code:
$this->config->set_item('csrf_protection', TRUE);
#4

[eluser]sl3dg3hamm3r[/eluser]
Hmmmm. Not sure if I have the latest version (can't find the download-link anymore), most probably not - as a matter of fact, it doesn't work with form_open() and config set to true.
#5

[eluser]pickupman[/eluser]
[url="http://bitbucket.org/ellislab/codeigniter/"]CI2 Download Link[/url]
#6

[eluser]Unknown[/eluser]
[quote author="pickupman" date="1281590031"]This gets a little tricky with some web services like Paypal/JSON/AJAX. If you try using IPN which POSTs data back, you will have problems. I found it best to create a whitelist of IP addresses to turn off the protection.[/quote]

Sorry to resurrect this, but I am having issues with Paypal IPNs using CI2 and wondered if this could relate. Where would you recommend implementing this whitelist? If I use the above code to disable the protection, is it ok to do it temporarily in my Paypal IPN handler, perform my operations, then re-enable the protection at the end without any issues?

Thanks!
#7

[eluser]pickupman[/eluser]
I created a conditional statement in application/config/config.php for turning csrf on and off based on IP address of the request.
#8

[eluser]Unknown[/eluser]
[quote author="pickupman" date="1281590031"]... If you are creating the <form > tag manually, and have csrf set to TRUE, you will need to add this value in.[/quote]

I stumbled on this via Google when I had the same problem. I'm hard-coding my forms without the form helper, which means I miss out on including the token value. To do that, I included the following hidden input item:

Code:
<input type="hidden" name="<?php echo $this->security->csrf_token_name?>" value="<?php echo $this->security->csrf_hash?>" />

Hope that helps someone! (Or maybe someone could point out any errors with this method?)
#9

[eluser]EvilivE[/eluser]
Exactly what I was looking for, thanks.
#10

[eluser]Ricardo Martins[/eluser]
I have a similar problem.
I have a method on a controller, that will receive $_POST data from an external webservice.
How can I disable CSRF only for this method?

I also tried $this->config->set_item('csrf_protection', FALSE);
but it doesn't work.

Thank you very much
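
Added example, not code from any poster in this thread: a sketch of the kind of conditional in application/config/config.php that post #7 describes, narrowed to a single endpoint as post #10 asks. It assumes the framework reads `csrf_protection` from config.php before the controller is constructed, which would explain why set_item() inside the controller comes too late; the function name, path and IP address are hypothetical placeholders.

```php
<?php
// application/config/config.php (excerpt). Added example, not from the thread.

if ( ! function_exists('csrf_enabled_for_request'))
{
    /**
     * Return TRUE when CSRF protection should stay on for this request.
     * Protection is dropped only when BOTH the path and the peer address
     * match the exemption lists, so every other form keeps its token check.
     */
    function csrf_enabled_for_request(array $server, array $exempt_paths, array $exempt_ips)
    {
        // The token is only checked on POST, so other methods keep the default.
        $method = isset($server['REQUEST_METHOD']) ? strtoupper($server['REQUEST_METHOD']) : 'GET';
        if ($method !== 'POST')
        {
            return TRUE;
        }

        // Normalise the path and ignore the query string.
        $uri  = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
        $path = '/'.trim((string) parse_url($uri, PHP_URL_PATH), '/');

        // Exact match only: a prefix match would exempt every sub-path too.
        if ( ! in_array($path, $exempt_paths, TRUE))
        {
            return TRUE;
        }

        // Use REMOTE_ADDR, not X-Forwarded-For, which the client controls.
        // Behind a reverse proxy REMOTE_ADDR is the proxy, so this check
        // would need the proxy's verified client address instead.
        $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

        return ! in_array($ip, $exempt_ips, TRUE);
    }
}

$config['csrf_protection'] = csrf_enabled_for_request(
    $_SERVER,
    array('/index.php/payments/ipn'),  // hypothetical callback path
    array('192.0.2.10')                // placeholder from the documentation range
);
```

An exempted endpoint has no token check at all, so its handler has to authenticate the incoming message by other means before acting on it.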